Weitere ähnliche Inhalte
Mehr von RapidSSLOnline.com (20)
Kürzlich hochgeladen (20)
Symantec™ Perfect Forward Secrecy in Info-Graphic
- 1. 0 01101111 01110010 01110111 01100001 01110010 01100100 00100000 01010011 01100101 01100011 01110010 01100101 01100011 01111001
101 01100101 00100000 01101111 01100110 00100000 01000110 01101111 01110010 01110111 01100001 01110010 01100100 00100000 01010011 01100101 01100011 01110010 01100101 01100011 01111001
1100001 01101100 01110101 01100101 00100000 01101111 01100110 00100000 01000110 01101111 01110010 01110111 01100001 01110010 01100100 00100000 01010011 01100101 01100011 01110010 0110
01010011 01111001 01101101 01100001 01101110 01110100 01100101 01100011
01 01101101 01100001 01101110 01110100 01100101 01100011
01010110 01100001 01101100 01110101 01100101 00100000 01101111 01100110 00100000 01000110 01101111 01110010 01110111 01100001 01110010 01100100 00100000 0101001
01010110 01100001 01101100 01110101 01100101 00100000 01101111 01100110 00100000 01000110 01101111 01110
01010110 01100001 01101100 01110101 01100101 00100000 01101111 01100110 00100000 0
01010011 01111001 01101101 01100001 01101110 01110100 01100101 01
01010011 01111001 01101101 01100001 01101110 01110100 01100101 01100011
10111 01100001 01110010 01100100 00100000 01010011 01100101 01100011 01110010 01100101 01100011 01111001
1101111 01100110 00100000 01000110 01101111 01110010 01110111 01100001 01110010 01100100 00100000 01010011 01100101 01100011 01110010 01100101 01100011 01111001
01 01100101 00100000 01101111 01100110 00100000 01000110 01101111 01110010 01110111 01100001 01110010 01100100 00100000 01010011 01100101 01100011 01110010 01100101 01100011 01111001
1 01101101 01100001 01101110 01110100 01100101 01100011
1101110 01110100 01100101 01100011
01010110 01100001 01101100 01110101 01100101 00100000 01101111 01100110 00100000 01000110 01101111 01110010 01110111 01100001 01110010 011
01010110 01100001 01101100 01110101 01100101 00100000 01101111 01100110 00100000 0
01010110 01100001 01101100 01110101 01100101 00100000 011011
01010011 01111001 01101101 01100001 0110111
01010011 01111001 01101101 01100001 01101110 01110100 01100101 01
Take one look at the numbers, and you’ll see why
it’s worth getting to know Perfect Forward Secrecy
When it comes to security, IT professionals need to think ahead: An eavesdropper
who records traffic today may successfully decrypt it in the future. A solution is to
employ Perfect Forward Secrecy, in which unrecoverable temporary session keys
are generated, used and discarded. When implemented correctly with Elliptic
Curve Cryptography (ECC), Perfect Forward Secrecy is more secure than RSA
algorithms and performs better.
The world isn’t safe, and security risks to
businesses and consumers are growing.
PRISM PROGRAM
Program of the National
Security Administration (NSA)
Revealed by Edward
Snowden in spring 2013
Attempt to gain access to
the private communications
of users of:
Microsoft Yahoo! Google Facebook3
ADOBEZAPPOS.COM LIVINGSOCIAL
24 50 38
million customers
affected5
million customers
affected6,7
million accounts
hacked4
JAN 2012 APR 2013 SEP 2013
RSA
RSA generates a public and
private key to encrypt and decode
messages.
Continued use of recoverable
keys makes stored data
accessible if keys are
compromised in the future
PERFECT
FORWARD SECRECY
With Perfect Forward Secrecy,
keys are randomly generated,
exchanged, and discarded.
Methods include ECDHE (Elliptical
Curve DHE) & DHE (Diffie-Helman,
allows shared secret key exchange).
Past messages are protected
from future attack
Potential performance improvement,
if implemented correctly
All ECDHE servers have ciphers at
least as strong as RSA signatures
Perfect Forward Secrecy can be
cracked if ciphers are weak or
stored incorrectly
4 out of 5 DHE-enabled servers allow
ciphers weaker than RSA signatures12
60%
18%
of hosts10
ECDHE supported by
of hosts11
DHE supported by
Currently the dominant system,
supported by
99.9%
of sites8
CHARACTERISTICS CHARACTERISTICS
Will move from 2048-bit to
4096-bit key size, supported in
2014 by 2% of sites9
2%
2048-bit 4096-bit
SECURITY BENEFITS
256-bit ECC is estimated to be
10,000 times
as tough to crack as RSA.
When ECC is applied to DSA
(called ECDSA), level of
security climbs
160-bit public ECDSA key as
secure as 1024-bit DSA key
By default, ECDHE is properly
configured for security with
efficient 256-bit key size
Requires periodic or
upon-connection new random
key generation
Ephemeral keys cannot be
revealed, so even recorded traffic
is safe
PERFORMANCE BENEFITS
Tests were conducted using Elliptic Curve and RSA for key
exchange and digital signature.
The results?13
For complex page server
requests per second:
For multi-domain page server
requests per second:
with
ECDHE-ECDSA
with
RSA-RSA
with
ECDHE-ECDSA
with
RSA-RSA
Performance improvement of
27%
52%
CPU usage cut about
60% with Elliptic Curve
Perfect Forward Secrecy
better than free in terms
of performance
Done properly, Perfect Forward Secrecy
protects sensitive information yesterday, today,
and tomorrow. What’s more, it does so while
improving performance and user experience.
For more information visit www.symantec.com/SSL or call 1-866-893-6565 or
1-520-477-3111 to speak with a security specialist and find out how certificates
with ECC can offer improved performance and protection for your business.
© 2014 Symantec Corporation. All rights reserved. Symantec, the Symantec Logo, the
Checkmark Logo, and the Norton Secured Logo are trademarks or registered
trademarks of Symantec Corporation or its affiliates in the U.S. and other countries.
Other names may be trademarks of their respective owners.
TO
360265 338265
01110111 01100001 01110010 01100100 00100000 01010011 01100101 01100011 01110010 01100101 01100011 01111001
0 01101111 01100110 00100000 01000110 01101111 01110010 01110111 01100001 01110010 01100100 00100000 01010011 01100101 01100011 01110010 01100101 01100011 01111001
10101 01100101 00100000 01101111 01100110 00100000 01000110 01101111 01110010 01110111 01100001 01110010 01100100 00100000 01010011 01100101 01100011 01110010 01100101 01100011 011110
1001 01101101 01100001 01101110 01110100 01100101 01100011
1 01101110 01110100 01100101 01100011
THE VALUE OF
Perfect Forward Secrecy
RSA vs. Perfect Forward Secrecy:
Which provides greater security?
Perfect Forward Secrecy, when implemented with ECC,
offers significant performance and security benefits.
Conclusion
Sources
TIMELINE OF ADDITIONAL DATA BREACHES
Names, encrypted passwords, and encrypted credit and
debit card numbers were among the types of data stolen in
these high-profile breaches.
More than 35% increase Nearly 28% increase
1
Finkle, Jim and Egan, Louise. "'Heartbleed' blamed in attack on Canada tax agency, more expected," Reuters.
2
Yadron, Danny. "Massive OpenSSL Bug 'Heartbleed' Threatens Sensitive Data," Wall Street Journal.
3
Lee, Timothy B. “Here’s everything we know about PRISM to date,” Wonkblog, WashingtonPost.com.
4
Hsieh, Tony. “Security Email.”
5
Swisher, Kara. “LivingSocial Hacked — More Than 50 Million Customer Names, Emails, Birthdates and Encrypted Passwords
Accessed (Internal Memo),” AllThingsD.com.
6
“Adobe Breach Impacted At Least 38 Million Users,” KrebsOnSecurity.com.
7
Arkin, Brad. “Important Customer Security Announcement,” Adobe Featured Blogs.
8
Huang, Lin-Shung, Adhikarla, Shrikant, Boneh, Dan, and Jackson, Collin. “An Experimental Study of TLS Forward Secrecy
Deployment,” September 2013.
9
Ibid.
10
Ibid.
11
Ibid.
12
Ibid.
13
Ibid.
HEARTBLEED BUG
Online traffic on over half a
million trusted websites
vulnerable starting June 2012
2013
2014
Estimated costs to eCommerce
and online business in the 100s
of millions
Data stolen from the
Canadian Tax Agency1
Names, passwords and other private
information vulnerable to theft
OpenSSL estimated to
encrypt ~2/3 of active
websites across the Internet2
RSARSA PERFECT
FORWARD SECRECY
PERFECT
FORWARD SECRECY